VLANs and Local Boundaries

VLANs as Logical LANs

A virtual LAN, or VLAN, is a logical Layer 2 network. Devices in the same VLAN behave as if they are on the same local Ethernet segment, even if they are connected to different physical switches. Devices in different VLANs are separated at Layer 2. That separation is useful for organizing users, printers, voice phones, guest wireless clients, management interfaces, labs, and other groups that should not all share the same broadcast domain.

The key practical point is that a VLAN is a boundary for broadcasts. ARP requests, DHCP discovery messages, and other broadcast traffic stay inside the VLAN unless a router or Layer 3 device is configured to provide a service across that boundary. If a workstation is accidentally placed into the wrong VLAN, it may not receive the expected DHCP address, may not reach its default gateway, and may not find local services that work for nearby users.

Switch ports are often configured as access ports or trunk ports. An access port normally belongs to one VLAN and is used for endpoint devices such as PCs, printers, access points in simple modes, or desk phones. A trunk port carries traffic for multiple VLANs, commonly between switches, between a switch and a router, or between a switch and a firewall. Trunk links use VLAN tagging, commonly based on IEEE 802.1Q, so the receiving device can tell which VLAN a frame belongs to.

A CCST technician may not be expected to design trunks, but should recognize that a trunk problem can affect many users or several VLANs at once.

VLANs are not the same as IP subnets, but in common small and enterprise networks there is usually a close relationship: one IPv4 subnet is assigned to one VLAN. For example, VLAN 10 might use 192.168.10.0/24 for office users, while VLAN 20 uses 192.168.20.0/24 for guest users. To move traffic between those VLANs, a router, Layer 3 switch, or firewall must route between the subnets. Without routing, a device in VLAN 10 cannot directly communicate with a device in VLAN 20 even if both are cabled to the same switch.

When troubleshooting, compare what the device has with what it should have. If a user in the office VLAN receives an address from the guest subnet, the port or wireless SSID may be mapped to the wrong VLAN. If a phone works but the PC behind the phone does not, there may be a voice/data VLAN issue or a cabling problem. If many users on one switch cannot get DHCP but users elsewhere can, check whether an uplink trunk, allowed VLAN list, or access port assignment was changed by someone with network privileges.

Good ticket notes should include the jack or switch port if known, the client IP address and gateway, whether DHCP or static addressing is used, the connected SSID if wireless is involved, and whether other devices in the same area are affected. VLAN issues often look like address or service failures from the user's point of view, so the technician's job is to map the symptom back to the local Layer 2 boundary.

Study Checkpoint

• Topic: VLANs and Local Boundaries.
• Verify the official Cisco concept before memorizing a shortcut.
• Practice the technician action: observe, document, test, fix when supported, or escalate.